mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-13 05:28:02 +03:00
davida-ps
5ee8587b1e
* ci: sign advisory feed and checksums in workflows * feat(clawsec-suite): add verifier-side signature and checksum enforcement Implements cryptographic verification for advisory feed loading: - Ed25519 detached signature verification for feed.json - Supports raw base64 and JSON-wrapped signature formats - Pinned public key at advisories/feed-signing-public.pem - SHA-256 checksum manifest (checksums.json) verification - Signed checksums.json.sig prevents partial artifact substitution - Verifies feed.json, feed.json.sig, and public key against manifest - Remote feed: returns null on verification failure (triggers fallback) - Local feed: throws on verification failure (hard fail) - No silent bypass of verification - CLAWSEC_ALLOW_UNSIGNED_FEED=1 temporarily bypasses verification - Warning logged when bypass mode is enabled - Intended for transition period only - guarded_skill_install without --version matches any advisory for skill - Encourages explicit version specification - scripts/sign_detached_ed25519.mjs - signing utility - scripts/verify_detached_ed25519.mjs - verification utility - scripts/generate_checksums_json.mjs - checksum manifest generator - test/feed_verification.test.mjs - 14 verification tests - test/guarded_install.test.mjs - 6 install flow tests - hooks/.../lib/feed.mjs - full rewrite with verification - hooks/.../handler.ts - verification options integration - scripts/guarded_skill_install.mjs - verification integration - skill.json - v0.0.9, new SBOM entries, openssl requirement - SKILL.md - signed install flow, env vars documentation - HOOK.md - new environment variables - ci.yml - added verification test job Refs: fail-closed verification, Ed25519 signatures, checksum manifests * fix: update action versions in CI workflows for improved stability * chore(clawsec-suite): bump version to 0.0.10 * feat: enhance security measures in asset deployment and add changelog for version history * feat: add dry-run signing for advisory artifacts and generate checksums * fix: enhance error handling in loadRemoteFeed for security policy violations * feat: implement Ed25519 signing and verification for advisory artifacts and checksums * feat: implement signing and verification for advisory artifacts and checksums in workflows * feat: update dry-run signing key generation to use Ed25519 algorithm * feat: update Ed25519 signing and verification to use -rawin flag for compatibility * feat: add public key copying to advisory directory and implement safe basename extraction for URLs * feat: remove Product Hunt promotion section from README and Home page
ClawSec: Security Skill Suite for AI Agents
Secure Your OpenClaw Bots with a Complete Security Skill Suite
Brought to you by Prompt Security, the Platform for AI Security
🦞 What is ClawSec?
ClawSec is a complete security skill suite for the OpenClaw family of agents (Moltbot, Clawdbot, some clones). It provides a unified installer that deploys, verifies, and maintains security skills-protecting your agent's cognitive architecture against prompt injection, drift, and malicious instructions.
Core Capabilities
- 📦 Suite Installer - One-command installation of all security skills with integrity verification
- 🛡️ File Integrity Protection - Drift detection and auto-restore for critical agent files (SOUL.md, IDENTITY.md, etc.)
- 📡 Live Security Advisories - Automated NVD CVE polling and community threat intelligence
- 🔍 Security Audits - Self-check scripts to detect prompt injection markers and vulnerabilities
- 🔐 Checksum Verification - SHA256 checksums for all skill artifacts
- Health Checks - Automated updates and integrity verification for all installed skills
🚀 Quick Start
For AI Agents
# Fetch and install the ClawSec security suite
curl -sL https://clawsec.prompt.security/releases/latest/download/SKILL.md
The skill file contains deployment instructions. Your agent will:
- Detect its agent family (OpenClaw/MoltBot/ClawdBot or other)
- Install appropriate skills from the catalog
- Verify integrity using checksums
- Set up cron update checks
For Humans
Copy this instruction to your AI agent:
Read https://clawsec.prompt.security/releases/latest/download/SKILL.md and follow the instructions to install the protection skill suite.
📦 ClawSec Suite
The clawsec-suite is a skill-of-skills manager that installs, verifies, and maintains security skills from the ClawSec catalog.
Skills in the Suite
| Skill | Description | Installation | Compatibility |
|---|---|---|---|
| 📡 clawsec-feed | Security advisory feed monitoring with live CVE updates | ✅ Included by default | All agents |
| 🔭 openclaw-audit-watchdog | Automated daily audits with email reporting | ✅ Included by default | OpenClaw/MoltBot/ClawdBot |
| 👻 soul-guardian | Drift detection and file integrity guard with auto-restore | ⚙️ Optional | All agents |
| 🤝 clawtributor | Community incident reporting | ❌ Optional (Explicit request) | All agents |
⚠️ clawtributor is not installed by default as it may share anonymized incident data. Install only on explicit user request.
⚠️ openclaw-audit-watchdog is tailored for the OpenClaw/MoltBot/ClawdBot agent family. Other agents receive the universal skill set.
Suite Features
- Integrity Verification - Every skill package includes
checksums.jsonwith SHA256 hashes - Updates - Automatic checks for new skill versions
- Self-Healing - Failed integrity checks trigger automatic re-download from trusted releases
- Advisory Cross-Reference - Installed skills are checked against the security advisory feed
📡 Security Advisory Feed
ClawSec maintains a continuously updated security advisory feed, automatically populated from NIST's National Vulnerability Database (NVD).
Feed URL
# Fetch latest advisories
curl -s https://clawsec.prompt.security/advisories/feed.json | jq '.advisories[] | select(.severity == "critical" or .severity == "high")'
Monitored Keywords
The feed polls CVEs related to:
OpenClawclawdbotMoltbot- Prompt injection patterns
- Agent security vulnerabilities
Advisory Schema
NVD CVE Advisory:
{
"id": "CVE-2026-XXXXX",
"severity": "critical|high|medium|low",
"type": "vulnerable_skill",
"title": "Short description",
"description": "Full CVE description from NVD",
"published": "2026-02-01T00:00:00Z",
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-XXXXX",
"references": ["..."],
"action": "Recommended remediation"
}
Community Advisory:
{
"id": "CLAW-2026-0042",
"severity": "high",
"type": "prompt_injection|vulnerable_skill|tampering_attempt",
"title": "Short description",
"description": "Detailed description from issue",
"published": "2026-02-01T00:00:00Z",
"affected": ["skill-name@1.0.0"],
"source": "Community Report",
"github_issue_url": "https://github.com/.../issues/42",
"action": "Recommended remediation"
}
🔄 CI/CD Pipelines
ClawSec uses automated pipelines for continuous security updates and skill distribution.
Automated Workflows
| Workflow | Trigger | Description |
|---|---|---|
| poll-nvd-cves.yml | Daily cron (06:00 UTC) | Polls NVD for new CVEs, updates feed |
| community-advisory.yml | Issue labeled advisory-approved |
Processes community reports into advisories |
| skill-release.yml | <skill>-v*.*.* tags |
Packages individual skills with checksums to GitHub Releases |
| deploy-pages.yml | Push to main | Builds and deploys the web interface to GitHub Pages |
Skill Release Pipeline
When a skill is tagged (e.g., soul-guardian-v1.0.0), the pipeline:
- Validates - Checks
skill.jsonversion matches tag - Generates Checksums - Creates
checksums.jsonwith SHA256 hashes for all SBOM files - Releases - Publishes to GitHub Releases with all artifacts
- Supersedes Old Releases - Marks older versions (same major) as pre-releases
- Triggers Pages Update - Refreshes the skills catalog on the website
Release Versioning & Superseding
ClawSec follows semantic versioning. When a new version is released:
| Scenario | Behavior |
|---|---|
| New patch/minor (e.g., 1.0.1, 1.1.0) | Previous releases with same major version are deleted |
| New major (e.g., 2.0.0) | Previous major version (1.x.x) remains for backwards compatibility |
Why do old releases disappear?
When you release skill-v0.0.2, the previous skill-v0.0.1 release is automatically deleted to keep the releases page clean. Only the latest version within each major version is retained.
- Git tags are preserved - You can always recreate a release from an existing tag if needed
- Major versions coexist - Both
skill-v1.x.xandskill-v2.x.xlatest releases remain available for backwards compatibility
Release Artifacts
Each skill release includes:
checksums.json- SHA256 hashes for integrity verificationskill.json- Skill metadataSKILL.md- Main skill documentation- Additional files from SBOM (scripts, configs, etc.)
Signing Operations Documentation
For feed/release signing rollout and operations guidance:
SECURITY-SIGNING.md- key generation, GitHub secrets, rotation/revocation, incident responseMIGRATION-SIGNED-FEED.md- phased migration from unsigned feed, enforcement gates, rollback plan
🛠️ Offline Tools
ClawSec includes Python utilities for local skill development and validation.
Skill Validator
Validates a skill folder against the required schema:
python utils/validate_skill.py skills/clawsec-feed
Checks:
skill.jsonexists and is valid JSON- Required fields present (name, version, description, author, license)
- SBOM files exist and are readable
- OpenClaw metadata is properly structured
Skill Checksums Generator
Generates checksums.json with SHA256 hashes for a skill:
python utils/package_skill.py skills/clawsec-feed ./dist
Outputs:
checksums.json- SHA256 hashes for verification
🛠️ Local Development
Prerequisites
- Node.js 20+
- Python 3.10+ (for offline tools)
- npm
Setup
# Install dependencies
npm install
# Start development server
npm run dev
Populate Local Data
# Populate skills catalog from local skills/ directory
./scripts/populate-local-skills.sh
# Populate advisory feed with real NVD CVE data
./scripts/populate-local-feed.sh --days 120
Build
npm run build
📁 Project Structure
├── advisories/
│ └── feed.json # Main advisory feed (auto-updated from NVD)
├── components/ # React components
├── pages/ # Page components
├── scripts/
│ ├── populate-local-feed.sh # Local CVE feed populator
│ ├── populate-local-skills.sh # Local skills catalog populator
│ └── release-skill.sh # Manual skill release helper
├── skills/
│ ├── clawsec-suite/ # 📦 Suite installer (skill-of-skills)
│ ├── clawsec-feed/ # 📡 Advisory feed skill
│ ├── clawtributor/ # 🤝 Community reporting skill
│ ├── openclaw-audit-watchdog/ # 🔭 Automated audit skill
│ └── soul-guardian/ # 👻 File integrity skill
├── utils/
│ ├── package_skill.py # Skill packager utility
│ └── validate_skill.py # Skill validator utility
├── .github/workflows/
│ ├── poll-nvd-cves.yml # CVE polling pipeline
│ ├── skill-release.yml # Skill release pipeline
│ └── deploy-pages.yml # Pages deployment
└── public/ # Static assets and published skills
🤝 Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
Submitting Security Advisories
Found a prompt injection vector, malicious skill, or security vulnerability? Report it via GitHub Issues:
- Open a new issue using the Security Incident Report template
- Fill out the required fields (severity, type, description, affected skills)
- A maintainer will review and add the
advisory-approvedlabel - The advisory is automatically published to the feed as
CLAW-{YEAR}-{ISSUE#}
See CONTRIBUTING.md for detailed guidelines.
Adding New Skills
- Create a skill folder under
skills/ - Add
skill.jsonwith required metadata and SBOM - Add
SKILL.mdwith agent-readable instructions - Validate with
python utils/validate_skill.py skills/your-skill - Submit a PR for review
📄 License
- Source code: MIT License - See LICENSE for details.
- Fonts in
font/: Licensed separately - Seefont/README.md.
ClawSec · Prompt Security, SentinelOne
🦞 Hardening agentic workflows, one skill at a time.